
Cryptography's future

By Bill Brenner, Senior News Writer
28 Feb 2008 | SearchSecurity.com


Dr. Burt Kaliski is chair of the office of the CTO and vice president of research at RSA Security, the security division of EMC. He is also chief scientist of its research center, RSA Laboratories. He joined RSA Data Security in 1989 and helped launch RSA Laboratories as an academic environment within RSA Data Security in 1991. Through the years he has been involved extensively in the development of cryptographic standards. He sat down with Senior News Writer Bill Brenner before moderating the popular cryptographers' panel at last year's RSA.

You're planning to give a presentation on Symmetric Key Infrastructures (SKI) and how they will likely play an even more important role in IT security than Public Key Infrastructures (PKI) in the years ahead. Talk about the differences between PKI and SKI and why SKI may grow in importance going forward.

Kaliski: Both PKIs and SKIs are concerned with full lifecycle management for cryptographic keys: creation and distribution, archive and recovery, revocation and deletion. In SKIs, the keys must be kept secret. A key needs to be available either to a single principal or a small group of principals who share the key. Public keys in PKIs, of course, can be made public and available to everyone. Private keys in PKIs, on the other hand, must be kept secret. A private key generally needs to be available only to a single principal, and is not shared.

Most of the application of cryptography to date has been for data "on the fly"--over networks or via email. Here, the encryption and decryption typically happen when the data is sent or received, or the message is sent or opened. The keys are identified and already available to the principals involved in the process. The data is typically encrypted with a symmetric key, where the symmetric key is conveyed using public-key techniques. However, the symmetric key itself does not need to be managed explicitly. The only long-term secret that needs to be managed is usually a PKI private key, and it generally needs to be available only to a single principal.

The renaissance of SKIs is due to the emerging emphasis on applying cryptography to data "at rest"--in a database or on a disk or tape. Here, the decryption might happen a long time after the encryption, and by a principal not involved when the data was originally encrypted. The symmetric key in this case typically does have to be managed explicitly. Furthermore, the key may need to be available to more than one principal. Managing these keys thus requires a richer and more complex infrastructure than for PKI private keys.
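
To make the distinction above concrete, here is an added Python illustration. It is not part of the interview and not RSA's or RSA Laboratories' code. It contrasts the two regimes Kaliski describes: an ephemeral session key for data on the fly that is used for one exchange and then dropped (the public-key step that would convey that key to the peer is not shown), and a small symmetric key store for data at rest whose records carry a key identifier, the set of authorised principals, and a lifecycle state (active, archived, revoked, deleted). The cipher is a constructed HMAC-SHA256 keystream with an authentication tag, chosen only so the script runs offline on the standard library; the store's API, the principal names and the sample records are assumptions.

```python
"""Constructed illustration: ephemeral (on-the-fly) vs managed (at-rest) symmetric keys.
Toy cipher from HMAC-SHA256; hypothetical key-store API, principals and records."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive distinct encryption and MAC keys from the one stored key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF; stands in for a real block-cipher mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class KeyRecord:
    key: bytes
    principals: set
    state: str = "active"  # active -> archived -> deleted; revoked is terminal


class SymmetricKeyStore:
    """Lifecycle management for long-lived data-at-rest keys (hypothetical API)."""

    def __init__(self):
        self._records = {}

    def create(self, principals) -> str:
        key_id = secrets.token_hex(8)
        self._records[key_id] = KeyRecord(secrets.token_bytes(32), set(principals))
        return key_id

    def grant(self, key_id: str, principal: str) -> None:
        self._records[key_id].principals.add(principal)

    def archive(self, key_id: str) -> None:
        # Archived keys may still recover old data but must not protect new data.
        self._records[key_id].state = "archived"

    def revoke(self, key_id: str) -> None:
        self._records[key_id].state = "revoked"

    def delete(self, key_id: str) -> None:
        # Deletion destroys the key material; ciphertext under it is unrecoverable.
        self._records.pop(key_id, None)

    def _fetch(self, key_id: str, principal: str, for_recovery: bool) -> bytes:
        rec = self._records.get(key_id)
        if rec is None:
            raise KeyError(f"key {key_id} is not available")
        if rec.state == "revoked":
            raise PermissionError(f"key {key_id} has been revoked")
        if rec.state == "archived" and not for_recovery:
            raise PermissionError(f"key {key_id} is archived; recovery only")
        if principal not in rec.principals:
            raise PermissionError(f"{principal} is not authorised for {key_id}")
        return rec.key

    def encrypt_at_rest(self, key_id: str, principal: str, plaintext: bytes) -> bytes:
        # The key identifier travels with the ciphertext so a later reader can locate the key.
        key = self._fetch(key_id, principal, for_recovery=False)
        return key_id.encode() + b":" + seal(key, plaintext)

    def decrypt_at_rest(self, principal: str, blob: bytes) -> bytes:
        key_id, _, body = blob.partition(b":")
        key = self._fetch(key_id.decode(), principal, for_recovery=True)
        return unseal(key, body)


def _denied(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    results = {}
    # Data on the fly: a one-off session key held only for this exchange; in a real
    # protocol it would be conveyed with public-key techniques (not shown here).
    session_key = secrets.token_bytes(32)
    results["in_flight_roundtrip"] = unseal(session_key, seal(session_key, b"ack")) == b"ack"
    del session_key  # nothing to archive, revoke or track afterwards

    # Data at rest: the key outlives the writer and is looked up by identifier.
    store = SymmetricKeyStore()
    kid = store.create(["backup-service"])
    blob = store.encrypt_at_rest(kid, "backup-service", b"ledger 2008")
    store.grant(kid, "auditor")  # a principal not present when the data was written
    results["recovered_by_other_principal"] = store.decrypt_at_rest("auditor", blob) == b"ledger 2008"
    results["unauthorised_blocked"] = _denied(lambda: store.decrypt_at_rest("intern", blob))
    store.archive(kid)
    results["archived_recoverable"] = store.decrypt_at_rest("auditor", blob) == b"ledger 2008"
    results["archived_no_new_data"] = _denied(lambda: store.encrypt_at_rest(kid, "auditor", b"x"))
    store.revoke(kid)
    results["revoked_blocked"] = _denied(lambda: store.decrypt_at_rest("auditor", blob))
    return results


if __name__ == "__main__":
    print(demo())
```

The session key never acquires an identifier or a record, so there is nothing to manage once the exchange ends. The at-rest key needs all of it: an identifier stored with the ciphertext, a list of principals that can change after encryption, an archive state that permits recovery but not new encryption, and revocation and deletion as terminal steps. That extra bookkeeping is the infrastructure the answer above says SKIs must provide.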

What are some concrete aspects of SKI that could help IT professionals secure their companies against today's threats? How could the features make the business of security easier on them?

Kaliski: If data compromise is the threat, encryption is a countermeasure -- but it's only effective if the decryption keys are available when needed to the parties that need them, and available only to them and no one else. In this sense, decryption keys are another information asset that IT professionals need to manage. SKIs can help IT professionals manage them more easily and effectively. Your company's management and your customers may be telling you, "Encrypt the data." It's a lot easier to do so if you have an infrastructure for managing the keys.

What do you expect to be some of the highlights at the RSA show in terms of speakers and topics?

Kaliski: As usual, I'm expecting the show to be an informative event that gives motivation for the year ahead. Innovation has always been an underlying theme for the conference, but the 2007 event is bringing it to the forefront with a lineup of keynote speakers. In addition to senior executives from major IT companies, Gen. Colin Powell, Ray Kurzweil and IDEO's Tom Kelley will be presenting their expert perspectives on innovation in today's world. Additionally, the RSA Conference has added an entire track on consumer protection to address the increasing need for the information security industry to approach applications from the consumer's standpoint. I'll be moderating the cryptographers' panel once again. Finally, for the more technically oriented, we continue the cryptographers' track, an academic research workshop within the conference, chaired by Masayuki Abe of NTT.


